9b7d317656f88d4aed0c094af7385dfb39ed2a40890521a4e0c2b438027f116c

General

Target

3b9e004e649dd60ffb22f3c7e3764b5e.exe
Size

340KB
MD5

3b9e004e649dd60ffb22f3c7e3764b5e
SHA1

2d15dd868ce767d6a2cbb586d151b78d64e29930
SHA256

9b7d317656f88d4aed0c094af7385dfb39ed2a40890521a4e0c2b438027f116c
SHA512

7c2728d0eefc1bad62542debe5d8399f8b4779b1e3f0b8203ccebf88161abb438ce0d196c55131a47dbda2891cc0c5c33fc5ed5e23608ee278d169f787a4e09a
SSDEEP

6144:6u7RLTyVyjO4Q2Mt+uTMCb+56gWIFeytHdGvdregAdF7LjtNdT:xuVy64Mt+uwCb+DFeOcuPL

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables taskbar notifications via registry modification
evasion

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
2116	ppt.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	ppt.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe
2116	ppt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2668	explorer.exe
Token: SeShutdownPrivilege	2668	explorer.exe
Token: SeShutdownPrivilege	2668	explorer.exe
Token: SeShutdownPrivilege	2668	explorer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2116	ppt.exe
2668	explorer.exe
2668	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2116	ppt.exe
2116	ppt.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2116	2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe	29
PID 2044 wrote to memory of 2116	2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe	29
PID 2044 wrote to memory of 2116	2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe	29
PID 2044 wrote to memory of 2116	2044	3b9e004e649dd60ffb22f3c7e3764b5e.exe	29

C:\Users\Admin\AppData\Local\Temp\3b9e004e649dd60ffb22f3c7e3764b5e.exe
"C:\Users\Admin\AppData\Local\Temp\3b9e004e649dd60ffb22f3c7e3764b5e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\ppt.exe
  "C:\Users\Admin\AppData\Local\ppt.exe" -gav C:\Users\Admin\AppData\Local\Temp\3b9e004e649dd60ffb22f3c7e3764b5e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2116

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ppt.exe

Filesize
153KB

MD5
8094d821608c7e301b19ac3204c29559

SHA1
3e106a3e57bc47d573802de031bb3d234697a822

SHA256
0c3216963c32a043aeaff37b50684d50f10fb78c460413eb02326fbc665e7a62

SHA512
56c52149f909e25e3635f7d923745416da5b49892512a7e75846e3b92066ec39939b12d313df68f1dbc96df44e6d7213a9d01524aaf17c5f22c599ad9fea8bde

Download Submit
C:\Users\Admin\AppData\Local\ppt.exe

Filesize
224KB

MD5
fd8d8811c506686d74de72faa80ae39e

SHA1
c5da195365fbc3d16cea2581b239c0ca4dc8eb1c

SHA256
0ff2ed9249197e9fd3b39888541627094672dd5a29aa9c469324e251580c4b3f

SHA512
b43b0ba3dd2821ca904a7b8aa709f81c92669bea63a2578eafe08c611c5e928e11dc8bc7999cd950477540c0f1b0d0dde4b0f0bbe65f4a9b561de2596945d90e

Download Submit
\Users\Admin\AppData\Local\ppt.exe

Filesize
283KB

MD5
628c8bfd28dbcd565f79355de1bf60f4

SHA1
8ea2a7a99b1641a1738a80efbd845f06b34543f0

SHA256
1acb6039efcd8604607e3678f675eac8a63423b807a8ffe19e6b75f298b09614

SHA512
a2765ea9a8696ba12d8bab09ef7f3fa3c2d29b92136582898a707b2c13d96be4510ef791b5fb5c5d359d0f69ece2a143d1967a82d10913bdcab04e155b73ed53

Download Submit
\Users\Admin\AppData\Local\ppt.exe

Filesize
201KB

MD5
518ea48b1ad5c16ea35a2c3dad135efc

SHA1
88bb1cc7a26186f4db3a157a5b5f5a3492dad68e

SHA256
9e32fa646feb30f015b1dc995ea039416e2859447b82ac05e0f82f09799a40ed

SHA512
5038682201ee112052a113617ceb69c48e64ba1893a26d8a9bb8f8ba4aad3ea143bc53b32affb92b3026401f620ee27fa1780351850b30cd818dcc259c294cea

Download Submit
memory/2044-1-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2044-0-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2044-2-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2044-3-0x0000000001EA0000-0x0000000002164000-memory.dmp

Filesize
2.8MB

Download
memory/2044-12-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-29-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-30-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-16-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-17-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-18-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-35-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-20-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-21-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-22-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-26-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-27-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-28-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-14-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-34-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-31-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2116-32-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2668-33-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2668-15-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2668-19-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads